Password tips from the largest stolen credentials database

How many of your online accounts or services require passwords? So many to remember. What’s your personal technique – your children’s names; adding a number each time it needs updating or a password manager?

Irdeto’s Cybersecurity Services team obtained a copy of the largest aggregated database of stolen credentials. Further to our data scientists’ initial findings, let me share some insights when it comes to passwords.

Predictably easy to hack
Using the Top 100 passwords in the database, we can see that they’re weak passwords. Here’s a few examples:

Figure 1: Examples of Top 100 passwords from largest stolen credentials database

Qwerty is an example of a keyboard walk. This is where people use a pattern as the basis for the password instead of a phrase, for instance.

Figure 2: Gif from static-independent.co.uk

Why does it matter?
Some people do have different levels of passwords. Easier ones for one-off services and stronger, more complex for other accounts. However, lots of people re-use or use easy to remember passwords. They don’t change them regularly as it’s difficult to come up with a new password they’ve not used before or they just forget.

It’s this type of complacent behavior that hackers exploit using brute force attacks such as a Dictionary attack, or testing them against the 50 most popular used passwords list. Our data scientists confirmed that many of those 50 appeared in the stolen credentials database. Hackers will also use phishing techniques or other hacking threats to obtain the credentials.

If you’re not vigilant, then you increase the likelihood that your credentials will be hacked. Not only that, but you run the risk that you’re exposing yourself to identify theft and other cybercrime thefts.

What happens to stolen credentials?
Stolen user names and passwords – credentials – are first validated against other online/OTT sites. The purpose is to test how prevalent that combination of username/password is. The more a user re-uses the same combination, the more valuable it is for the hacker.

Those ‘washed’ credentials are then used to create an expanded database which can either be sold or more typically used to “sell access” to a provider; e.g. Netflix.

What can be done?
From a personal perspective, be more diligent about protecting your online identity. Use different strong passwords with a combination of letters, symbols and numbers for each account, rotate them frequently or use a password vault, for instance.

For companies who hold consumer’s credentials, it’s beneficial to work with a trusted security partner who has proven experience monitoring the dark web and account generator sites for stolen credentials. That partner will be able to assist you in defining a security strategy and implementing measures – technical and procedural, for instance 2 factor authentication, to further harden your systems as well as educate your customer base about better password security.